inspector icon indicating copy to clipboard operation
inspector copied to clipboard
verified publisher icon modelcontextprotocol

Dynamic Client Registration with 3rd party Auth providers (e.g. Okta)

Open KKonstantinov opened this issue 5 months ago • 5 comments

Describe the bug Whenever using the MCP inspector to test an OAuth 2.0 flow, a several issues become evident:

  • Dynamic Client registration is enforced in the inspector (can see issue #167 and the PR raised against it already). Private enterprises will not want to expose DCR in all cases, but rather work with clients already registered in another way. (e.g. via API gateways that already handle client registration is one way, and of course it'll vary per organisation)
  • Even with Dynamic Client registration, the inspector sending a request to a 3rd party authorization server (example: Okta) on its DCR endpoint (https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/Client/) will lead to a CORS error. However, testing with something like Claude for example - the DCR request is sent successfully with no CORS errors.

To Reproduce Steps to reproduce the behavior:

  1. Start the guided OAuth2.0 flow
  2. Have your .well-known/oauth-authorization-server point to a 3rd party auth server (e.g. Okta/Auth0)

Expected behavior No CORS error.

Logs

Image Image

KKonstantinov avatar Jun 28 '25 19:06 KKonstantinov

Perhaps related to the another issue reported that MCP inspector sends an empty body in the client registration request ? it gives the same error with my own Oauth2 authentication server.

symdeb avatar Jul 03 '25 07:07 symdeb

I think the issue is that inspector is performing auth as an SPA instead of a backend web api like Claude and others. The latter don't require CORS

dr3s avatar Jul 25 '25 11:07 dr3s

There's been a few updates related to the issues mentioned here since it was last opened - @KKonstantinov @cliffhall do you think we can close this now? Thanks!

olaservo avatar Oct 13 '25 13:10 olaservo

There's been a few updates related to the issues mentioned here since it was last opened - @KKonstantinov @cliffhall do you think we can close this now? Thanks!

You can supply the Client ID and Client Secret in the sidebar. Image

However, it is a good point that the /token endpoint of the AS may not have CORS open to all origins.

We have a another similar complaint which suggests using the proxy for the auth flow. This would require what I believe would be a significant refactor, but it does make sense.

For the ins and outs of what a refactor might require, I suggest we take up the discussion in Discord.

cliffhall avatar Oct 18 '25 19:10 cliffhall

@cliffhall Maybe adding a if (connectionType === "proxy") ... else ... in handleAuthError would already be enough. In case of using the proxy it would call a single oauth endpoint in the proxy, do all the metadata discovery and oauth flow and respond with the access and refresh tokens. For the "OAuth Flow Progress" it is a different story, but it might be enough to just output a warning that no proxy is being used and thus CORS policy applies. Currently it just fails with "Failed to discover OAuth metadata".

ov-developer avatar Oct 19 '25 09:10 ov-developer